hi everyone,

I found the idea of tagging in PF very interesting, and we are
interested in using it for policy definitions, but here is the deal:
OVER THE INTERNET!...i know i know....the "manipulated" or tagged
packets will be encapsulated into IPsec...so problems like fragmentation
or routers shouldn't be the problem. And on the other side would be an
"interpreter" or "translator" who "encodes" the tags off the packets.

It is thought to be used on IPsec gateways or IPsec bridges.

now my question is:

1. Which code part of pf is responsible for such a thing? (our part
will be doing it on userspace level, and not kernelspace)


2. What do you think would be the problem for the packets "on the way"? i
thought since they are encapsulated, it should not be a problem...and on
the receiver side, the packets would be joined again (the fragmented
packets) and forwarded to the client (behind bridge or gateway)